this post was submitted on 26 Apr 2024
289 points (85.9% liked)

Technology

  • Deloitte confirms PIA's no-log claims, with servers running on RAM-only system for maximum privacy.
  • Independent audit verifies PIA's infrastructure is not vulnerable to third-party exploitation, ensuring online activity remains private.
  • PIA offers full transparency with open-source apps and regular third-party audits, proving its commitment to data protection.
[–] nothingcorporate@lemmy.world 233 points 6 months ago (16 children)

PIA got purchased by Kape Technologies a couple years ago. With their track record, you can choose to believe the report issued by consultants they paid, or you can just go to companies with better track records, like Mozilla VPN or Mullvad.

Seems like an easy choice to me.

[–] Dark_Arc@social.packetloss.gg 64 points 6 months ago (4 children)
[–] Alk@lemmy.world 25 points 6 months ago (9 children)

I use Proton vpn and love it. I actually like mullvad more as a standalone vpn, but Proton vpn is still great and I use it because of the whole bundle. It's a great deal and VERY convenient. The unlimited email aliases built in seamlessly to the password manager is a game changer for easy to use privacy.

[–] conciselyverbose@sh.itjust.works 11 points 6 months ago

Proton also, unlike PIA, doesn't routinely crash and break my VPN access on iPhone.

My sessions go until I disable them (for stuff like sports betting that legally has to restrict VPN usage).

[–] UnsavoryMollusk@lemmy.world 3 points 6 months ago* (last edited 6 months ago) (1 children)

Do they have port forwarding?

[–] Black616Angel@discuss.tchncs.de 36 points 6 months ago (1 children)

> Mozilla VPN or Mullvad

I mean, Mozilla VPN is Mullvad, so yeah. You can trust Mullvad.

[–] phoneymouse@lemmy.world 7 points 6 months ago (1 children)

Does Mullvad let you use a custom DNS?

[–] Sunny@slrpnk.net 6 points 6 months ago
[–] No_Eponym@lemmy.ca 20 points 6 months ago

Yeah, as soon as I saw Deloitte I knew it was shit.

[–] unbroken2030@lemmy.world 18 points 6 months ago

I understand the sentiment about the inherent conflict of interest with paying someone to audit your software, but it's highly unlikely that anyone is going to do that work for free. I'd want some evidence before taking your comment for anything other than opinion/bias. I don't use any of these products so whatever the reality is doesn't affect me, it just seems like nuance is too easily lost.

[–] sunbeam60@lemmy.one 6 points 6 months ago (1 children)

What’s wrong with PIA’s track record?

[–] wanderer@scribe.disroot.org 3 points 6 months ago (1 children)

Kape used to be a malware company or something. Also, a few years ago PIA made a negative statement about Proton but instead it backfired. I can't remember exactly what it was

[–] WhatsThePoint@lemmy.world 5 points 6 months ago* (last edited 6 months ago) (4 children)

I used Nord VPN after a lot of research when I initially started using them years ago. What have you heard about them?

[–] Alk@lemmy.world 54 points 6 months ago (4 children)

Personally I don't trust companies who aggressively advertise like they do, but that's not a real reason grounded in evidence. It just tends to be correct. I recommend Mullvad.

[–] Dark_Arc@social.packetloss.gg 33 points 6 months ago* (last edited 6 months ago) (4 children)

Nord had a very bad incident a few years ago https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

They were also REALLY late to the disclosure and tried to play it off as "them being responsible":

> NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

They (at least were) also very aggressive about advertising (all over YouTube at one point sponsoring all kinds of stuff)... Which is typically the opposite of what you want.

Proton has had write ups in the past about the VPN review market as well and how a lot of reviews are "whoever pays us the most money is the top VPN." Proton has a strong enough track record in their other software for doing the right thing and truly valuing security, privacy, and open standards, so I'm inclined to believe them. VPN was one of the first spinoff products they launched when it was still mail, and they did so because some of their more sensitive customers (think journalists in some bad parts of the world) were having to rely on third party VPNs of questionable integrity.

I trust Mullvad and Proton at this point for VPNs, nobody else.

[–] henfredemars@infosec.pub 54 points 6 months ago (2 children)

Hey, if your adversarial model does not include nation states, it’s a great service. Totally fine against basic IP tracking, and I haven’t received a nastygram for sharing movies in years.

[–] ayaya@lemdro.id 9 points 6 months ago (1 children)

Exactly. If all you want to do is torrent then it's by far the best option. $2.22/mo ($80 for 3 years) which is less than half the price of anything else, has port forwarding, and with WireGuard I can saturate a full gigabit no problem on private trackers.

[–] db2@lemmy.world 9 points 6 months ago (3 children)

Which one is good against nation states? Asking for a friend.

[–] Itsamelemmy@lemmy.zip 35 points 6 months ago

If you need to ask, you probably don't know enough to keep yourself anonymous. But it starts with tails, tor and not doing anything stupid like reusing user names that you use on the clear web or signing into something like Facebook. If a nation state has reason to find out who you are, they most likely will. All it takes is one little mistake that you most likely didn't even know was a mistake.

[–] henfredemars@infosec.pub 20 points 6 months ago (2 children)

Use the one they’re using: Tor.

There’s a long list of reasons why you might not want to use it though.

[–] 13262483@lemmy.wtf 29 points 6 months ago (2 children)

By default, Tor doesn't protect you from nation states. It's a start, but you have to be an intelligent user who understands statistics to have some protection from nation states.

Let's assume there are two teams, because in geopolitics, it seems like we divide into "west" and "east." Let's assume team 1 controls 10% [1] of the relays; they have more than enough budget to pay for the entire network 100x over. That means, on entry, there's a 10% probability that you will land on their entry node.

Now, to do traffic analysis, they need you to also land on their exit. The probability of that is also 10% in the example. In other words, 10% of the time that you have their entry, you will also have their exit. (or, for 1 in every 100 circuits, you will have a compromised circuit) If you use Tor everyday for a year, you'll likely have a fucked circuit at least once. If you use something like Whonix that spawns like 10-20 circuits at start, you'll have a compromised circuit weekly.

A compromised circuit isn't the end of the world. Most internet traffic today uses end to end encryption, [2] so as long as the service is outside of team 1's jurisdiction, your communications are safe... but team 1 knows who you are, and that you are talking to someone they don't trust. If it's in their jurisdiction, they can get a warrant, and they can fully de-anonymize the traffic between the service that you were using.

All of this is to say, it's hard to stay in the dark if your adversary is information intelligence. The best way to stay invisible is to use the network as infrequently as possible, and to make the time correlation very far off. (Use custom relays that delay when the traffic travels so that traffic analysis like this example is not possible)

By the way, in the US, the NSA has multiple sites where they copy the traffic on the backbone for analysis. They're performing some deep packet analysis. These systems are going to improve in the future with machine learning. As an example, in China, it's not exactly simple to connect to Tor as some methods of concealing Tor traffic result in detection from machine learning that they're performing on all traffic.

[1] This is a hypothetical. They could control 0%, 5%, 25%, etc. It's publicly unknown how much they control or if they try to control the network at all.

[2] Be careful with your assumptions about https. Where are the root authorities? Why should we trust them? It's better security to never trust them.
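The arithmetic in the comment above (10% of entries times 10% of exits, so 1 in 100 circuits, and "at least once a year" for a daily user), carried through as an added example that is not part of the thread. The relay fractions and circuit counts below are hypothetical inputs, as the commenter's footnote [1] says the real share is unknown. The block also goes one step beyond the comment: it contrasts the "fresh entry every circuit" model the comment uses with Tor's actual entry-guard design, where a client keeps the same entry guard for months, so the entry roll is made once rather than per circuit.

```python
"""Circuit-compromise odds against an adversary running a share of Tor relays.

Two models are compared (all percentages are illustrative assumptions):

  1. Independent model (the comment's reasoning): each circuit picks a fresh
     entry and exit, so a circuit is end-to-end observable with probability
     p_entry * p_exit, and risk accumulates with every circuit built.
  2. Guard model (Tor's design): the client pins a single entry guard for
     months. The entry roll happens once; afterwards only the exit varies.
     This caps the chance of *ever* being exposed at p_entry, at the price
     that a bad guard exposes you repeatedly.

Note: Tor weights relay selection by bandwidth, so "10% of relays" should be
read as "10% of selection weight", which a well-funded adversary can buy.
"""
import math


def per_circuit_compromise(p_entry: float, p_exit: float) -> float:
    """Probability a single circuit has both an adversary entry and exit."""
    return p_entry * p_exit


def p_at_least_one(p: float, n: int) -> float:
    """P(at least one success in n independent trials) = 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p) ** n


def independent_model(p_entry: float, p_exit: float, circuits: int) -> float:
    """Chance of at least one end-to-end compromised circuit when every
    circuit re-rolls both entry and exit (the comment's model)."""
    return p_at_least_one(per_circuit_compromise(p_entry, p_exit), circuits)


def guard_model(p_entry: float, p_exit: float, circuits: int) -> float:
    """Chance of at least one compromised circuit with a persistent guard.
    Honest guard (prob 1 - p_entry): nothing is end-to-end observable.
    Malicious guard (prob p_entry): each circuit is exposed whenever its
    exit is also malicious."""
    return p_entry * p_at_least_one(p_exit, circuits)


def circuits_for_probability(p: float, target: float) -> int:
    """Smallest n such that P(at least one compromise in n circuits) >= target.
    Inverts 1 - (1 - p)^n >= target."""
    if not 0 < p < 1 or not 0 < target < 1:
        raise ValueError("p and target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def summarize(p_entry: float, p_exit: float, circuits: int) -> dict:
    """Both models side by side for one usage pattern."""
    p = per_circuit_compromise(p_entry, p_exit)
    return {
        "per_circuit": p,
        "expected_compromised": p * circuits,  # mean count, independent model
        "independent": independent_model(p_entry, p_exit, circuits),
        "guard": guard_model(p_entry, p_exit, circuits),
    }


if __name__ == "__main__":
    # Hypothetical adversary share from the comment: 10% of entries and exits.
    for label, n in [("one circuit a day for a year", 365),
                     ("Whonix-style 15 circuits/day for a year", 15 * 365)]:
        s = summarize(0.10, 0.10, n)
        print(f"{label}: independent={s['independent']:.3f} "
              f"guard={s['guard']:.3f} expected={s['expected_compromised']:.1f}")
    print("circuits for a 50% chance at p=0.01:",
          circuits_for_probability(0.01, 0.5))
```

Under the independent model a daily user is almost certainly (about 97%) observed end-to-end at least once a year, which is the comment's point. Under the guard model that number cannot exceed the adversary's entry share, here 10%, no matter how many circuits are built; the cost is that the unlucky 10% are exposed on roughly every tenth circuit for as long as they keep that guard. Both models assume the adversary can correlate the two ends once it sees them, which is the traffic-analysis step the comment describes.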

[–] brbposting@sh.itjust.works 5 points 6 months ago

Fascinating. Thank goodness my life doesn’t depend on that kind of threat modeling.

[–] Nfamwap@lemmy.world 8 points 6 months ago (1 children)
[–] henfredemars@infosec.pub 32 points 6 months ago (1 children)

Biggest problem is that it’s free. That means you’ve got very little bandwidth that’s usable since it’s being supplied out of generosity for no direct compensation that could be reinvested into the network. There’s just too many users and not enough bandwidth.

And because it actually works, it’s very difficult or impossible to police how it’s used. That means your precious bits are just as important as the 100,000 spam emails that another user is trying to send with the service.

Finally, you might not want to use it because you’re sharing the same exit nodes with many other users. This means services tend to block those IP addresses outright, limiting what you can use it for, and if you leak an identifier such as your name maybe you don’t want that tied to an IP address that actual terrorists might have used.

I write this as someone who owns a bunch of official Tor merchandise.

[–] db2@lemmy.world 17 points 6 months ago (1 children)

Spam emails are about the tamest dark part of the dark web though...

[–] henfredemars@infosec.pub 10 points 6 months ago (1 children)

I’m trying to be nice for the general public that could be reading this post. But yes, there’s a lot of bad stuff out there, and VPN service providers aren’t just getting paid to invest in tons of bandwidth, but they are also doing some policing of their service. They just don’t talk about it. It’s bad for business. And yes, you can police a service without technically logging any data.

[–] db2@lemmy.world 3 points 6 months ago (2 children)

What is "official tor merchandise" btw?

[–] Zorque@kbin.social 25 points 6 months ago (1 children)
[–] henfredemars@infosec.pub 10 points 6 months ago

They sell things! I’ve bought mostly graphic clothing at funding events. You’ll find some presence at big hacker conventions. You could sometimes get a few goodies if you operate large nodes or provide significant contributions in other ways.

[–] Socsa@sh.itjust.works 4 points 6 months ago (1 children)

The solar powered RPI jump box you installed on a telephone pole outside the McDonald's.

[–] crozilla@lemmy.world 44 points 6 months ago

Yeah, I dunno if I’d trust Deloitte about anything, not to sh!t on PIA’s tech which I have no knowledge of.

https://duckduckgo.com/?q=Deloitte+scandals&t=ffip&ia=web

[–] lemming741@lemmy.world 43 points 6 months ago
[–] klef25@lemmy.world 37 points 6 months ago (1 children)

This just reads like an ad. There doesn't seem to be any journalistic value to this article and it's got a clickbait title. At minimum, it should have noted results for competitors.

[–] Omgboom@lemmy.zip 14 points 6 months ago

Lol what the hell does Deloitte know about technical infrastructure.

[–] NGC2346@sh.itjust.works 12 points 6 months ago (2 children)

I am dedicated to Proton to be honest but PIA always seemed good to me based on these type of situations and audits.

[–] Molecular0079@lemmy.world 34 points 6 months ago (1 children)

I think there was some bad vibes when they got bought by a less than reputable company a while back. I know a lot of people, myself included switched to Mullvad. I am on Proton now though for the port forwarding.

[–] MrPoopbutt@lemmy.world 4 points 6 months ago (1 children)

What is the benefit of port forwarding?

[–] johannesvanderwhales@lemmy.world 4 points 6 months ago (2 children)

The most common use case is probably bittorrent. Without port forwarding, you won't be connectable. But anything where someone might need to connect to your local machine from the internet, like hosting game servers or other self-hosting.

[–] Dark_Arc@social.packetloss.gg 6 points 6 months ago (4 children)

PIA was good until they got bought out. That's when my friend and I switched our VPNs (me to proton, him to express).

A shady parent company isn't what you want in a VPN.

[–] doublejay1999@lemmy.world 17 points 6 months ago (1 children)

… um…..Express is also owned by Kape

[–] HeckGazer@programming.dev 12 points 6 months ago* (last edited 6 months ago)

> PIA got bought out
> switched to express

Oh no

[–] makingrain@lemm.ee 9 points 6 months ago

On September 13, 2021, it was reported that ExpressVPN had been acquired by Kape Technologies, an LSE-listed digital privacy and security company

[–] I_Miss_Daniel@lemmy.world 3 points 6 months ago* (last edited 6 months ago) (2 children)

I'm on Express VPN only because they apparently specialise in avoiding geoblocks and VPN detection for overseas TV sites etc. (Plus three months free for being a TWiT.) So far it's true for BBC iPlayer, RTe Player and UK Channel 4. For this purpose I'm not overly worried about how log-resistant they are, but interesting to keep up with the score here. The integrated 'ad blocking' is also useful, but slower than AdGuard as it seems pages have to wait for assets to fail to load before displaying rather than just being 404'd.

[–] werefreeatlast@lemmy.world 8 points 6 months ago

Remember when Google wasn't evil?

Nah, it's time for something other than email that does what email did before but without the ability to spam or inject bad stuff.

[–] derpgon@programming.dev 4 points 6 months ago

I wonder, is there a way to ensure they work the way they advertise, besides being investigated by the police and observing the result? It has to be blatant in order to force the VPN service to comply, if they can.

It's a case of who you believe more: the provider or the police.

[–] itsgroundhogdayagain@lemmy.ml 4 points 6 months ago

Only 1 more year left on my PIA subscription. /sigh
